To test, create a Moodle user account with an e-mail address (i.e. test@localhost.com) and run a forgot password test with both 'test@localhost.com' and 'Test@LocaLHOST.com' - you will only receive one e-mail for 'test@localhost.com'.

To test, create a Moodle user account with an e-mail address (i.e. test@localhost.com) and run a forgot password test with both 'test@localhost.com' and 'Test@LocaLHOST.com' - you will only receive one e-mail for 'test@localhost.com'.

Description

When using the forgot password tool, it performs a check using case-sensitive strings when using PgSQL because using WHERE $field=$value in PgSQL checks for case-sensitivity. I am unable to replicate using MySQL as MySQL does not check for case-sensitivity when using WHERE $field=$value.

username - the problem is that we lowercase it in login form, but technically there might be some non-lowercase case-sensitive usernames (probably some custom SSO auth); my 1 to simply lowercase the username to make it work exactly the same as login page ( some note explaining why)

email - the first part of email address (mailbox) is actually case sensitive, the domain is not - we can not lowercase here. There is another problem with special LIKE characters that can be part of the email or submitted text: "_" and "%", I think these should be properly escaped, our DML can do that (I hope).

Petr Skoda
added a comment - 20/Aug/11 7:27 PM - edited hehe, bloody mysql caused this...
username - the problem is that we lowercase it in login form, but technically there might be some non-lowercase case-sensitive usernames (probably some custom SSO auth); my 1 to simply lowercase the username to make it work exactly the same as login page ( some note explaining why)
email - the first part of email address (mailbox) is actually case sensitive, the domain is not - we can not lowercase here. There is another problem with special LIKE characters that can be part of the email or submitted text: "_" and "%", I think these should be properly escaped, our DML can do that (I hope).
Are you going to work on this or should I?

Hmm, the use of $user = get_complete_user_data('username', $p_username); in the forgot user script seems completely wrong - it is supposed to be used when constructing $USER global, we should probably fix the docs there...

Petr Skoda
added a comment - 20/Aug/11 7:34 PM Hmm, the use of $user = get_complete_user_data('username', $p_username); in the forgot user script seems completely wrong - it is supposed to be used when constructing $USER global, we should probably fix the docs there...